Anticensorship in the Internet's Infrastructure

I’m pleased to announce a research result that Eric Wustrow, Scott Wolchok, Ian Goldberg, and I have been working on for the past 18 months: Telex, a new approach to circumventing state-level Internet censorship. Telex is markedly different from past anticensorship efforts, and we believe it has the potential to shift the balance of power in the censorship arms race.

What makes Telex different from previous approaches:

Telex operates in the network infrastructure — at any ISP between the censor’s network and non-blocked portions of the Internet — rather than at network end points. This approach, which we call “end-to-middle” proxying, can make the system robust against countermeasures (such as blocking) by the censor.

Telex focuses on avoiding detection by the censor. That is, it allows a user to circumvent a censor without alerting the censor to the act of circumvention. It complements anonymizing services like Tor (which focus on hiding with whom the user is communicating, rather than hiding the fact that the user is having an anonymous conversation at all) rather than replacing them.

Telex employs a form of deep-packet inspection — a technology sometimes used to censor communication — and repurposes it to circumvent censorship.

Other systems require distributing secrets, such as encryption keys or IP addresses, to individual users. If the censor discovers these secrets, it can block the system. With Telex, there are no secrets that need to be communicated to users in advance, only the publicly available client software.

Telex can provide a state-level response to state-level censorship. We envision that friendly countries would create incentives for ISPs to deploy Telex.

The Problem

Government Internet censors generally use firewalls in their network to block traffic bound for certain destinations, or containing particular content. For Telex, we assume that the censor government desires generally to allow Internet access (for economic or political reasons) while still preventing access to specifically blacklisted content and sites. That means Telex doesn’t help in cases where a government pulls the plug on the Internet entirely. We further assume that the censor allows access to at least some secure HTTPS websites. This is a safe assumption, since blocking all HTTPS traffic would cut off practically every site that uses password logins.


Many anticensorship systems work by making an encrypted connection (called a “tunnel”) from the user’s computer to a trusted proxy server located outside the censor’s network. This server relays requests to censored websites and returns the responses to the user over the encrypted tunnel. This approach leads to a cat-and-mouse game, where the censor attempts to discover and block the proxy servers. Users need to learn the address and login information for a proxy server somehow, and it’s very difficult to broadcast this information to a large number of users without the censor also learning it.

How Telex Works

Telex turns this approach on its head to create what is essentially a proxy server without an IP address. In fact, users don’t need to know any secrets to connect. The user installs a Telex client app (perhaps by downloading it from an intermittently available website or by making a copy from a friend). When the user wants to visit a blacklisted site, the client establishes an encrypted HTTPS connection to a non-blacklisted web server outside the censor’s network, which could be a normal site that the user regularly visits. Since the connection looks normal, the censor allows it, but this connection is only a decoy.

The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers. We construct this tag using a mechanism called public-key steganography. This means anyone can tag a connection using only publicly available information, but only the Telex service (using a private key) can recognize that a connection has been tagged.

As the connection travels over the Internet en route to the non-blacklisted site, it passes through routers at various ISPs in the core of the network. We envision that some of these ISPs would deploy equipment we call Telex stations. These devices hold a private key that lets them recognize tagged connections from Telex clients and decrypt these HTTPS connections. The stations then divert the connections to anti­censorship services, such as proxy servers or Tor entry points, which clients can use to access blocked sites. This creates an encrypted tunnel between the Telex user and Telex station at the ISP, redirecting connections to any site on the Internet.


Telex doesn’t require active participation from the censored websites, or from the non-censored sites that serve as the apparent connection destinations. However, it does rely on ISPs to deploy Telex stations on network paths between the censor’s network and many popular Internet destinations. Widespread ISP deployment might require incentives from governments.

Development so Far

At this point, Telex is a concept rather than a production system. It’s far from ready for real users, but we have developed proof-of-concept software for researchers to experiment with. So far, there’s only one Telex station, on a mock ISP that we’re operating in our lab. Nevertheless, we have been using Telex for our daily web browsing for the past four months, and we’re pleased with the performance and stability. We’ve even tested it using a client in Beijing and streamed HD YouTube videos, in spite of YouTube being censored there.

Telex illustrates how it is possible to shift the balance of power in the censorship arms race, by thinking big about the problem. We hope our work will inspire discussion and further research about the future of anticensorship technology.

Just as with Tor and other client-based systems, users need to trust that nobody has tampered with the software they’re installing. Delivering software with integrity, though not an easy problem, is more tractable than delivering secrets to the masses without a repressive government learning them – Telex makes this part unnecessary.

> 2. Can easily be used to fool the trusting user into consuming content other than expected

This is what HTTPS is for. The censor or any ISP on the path between the user and the website can already replace content if the content is delivered over plain old HTTP. If the user accesses a secure HTTPS site through Telex, the integrity is assured in the same way as when not using Telex.

> 3. Censors know how to inspect headers too.

Yes! In fact, we assume that the censor can inspect and modify any traffic to or from the user. The steganographic marker that Telex uses to identify connection requests is based on public-key cryptography and can’t be detected unless you have the Telex stations’ private key.

There are a lot of other traffic features that Telex needs to get right in order to disguise the proxied connections. We address many of them already, and the paper describes approaches for addressing others in response to increasing sophistication on the part of the censor.

I haven’t read up on public-key cryptography, but I’m under the assumption that it would have to add more information to the packet than is strictly necessary for a basic communication.

Any censor noticing a packet that is “heavier” than it needs to be should be able to figure out that something is going on without understanding exactly what the message is. And all they need to do is “detect” not “read” the message, in order to pull the plug.

Or does public-key crypto somehow not add any additional data to the packet?

Yes, that much is obvious. (I hate to sound like a bastard, but you’re starting out by saying you don’t have any idea what you’re talking about.)

“does public-key crypto not add any additional data”

The fact that the decoy site is HTTPS means that there is already public-key information in the packet. The Telex client repurposes that information to do two things simultaneously: first, to apparently connect to the decoy site, and second, to secretly signal to the Telex station, in a way that can only be decoded by the Telex private key, that this is actually a Telex request.

To answer your question: Telex does not add any information to the HTTPS request that flags it as a Telex request to the censor. Only the Telex private key can determine that the request is actually to Telex.

The fact that the connection is already HTTPS means that nothing should be able to snoop it. Are you suggesting that the Telex stations installed at ISPs are now somehow able to decrypt every HTTPS connection going through the ISPs so that they can detect, read and act on Telex keys?

The Telex stations are able to decrypt only the HTTPS connections containing Telex requests. This is because the Telex requests were specifically intended to be detected and decrypted by the Telex station. All other normal HTTPS traffic remains as unreadable as always.

I am not the original poster, but I think you are missing their point. While the censor cannot (we assume for the purposes of this discussion) decrypt the HTTPS traffic, the censor can perform some “traffic analysis” on the size of the HTTPS request and its destination IP address. If the header that Telex adds, although encrypted, does add a statistically noticeable number of bytes to the HTTPS request (or its response from the Telex-enabled ISP), it may be possible for a censor to block it. For example, the censor can see that someone is accessing an IP destination number whose reverse DNS/whois info is associated with “facebook.com” and knows that the first requests to (and responses from) facebook are usually the home page or login page and thus the HTTPS requests/responses tend to have N bytes +/- some standard deviation in that initial burst, then if Telex adds ~X more bytes to that than expected, the censor can detect or disrupt the traffic. Perhaps Telex avoids this sort of traffic analysis attack, but the Telex website doesn’t seem to mention it so I sort of presume they haven’t. I haven’t seen the paper though.

Having now skimmed the paper, the core Telex technique does not add a header inside the HTTPS exchange changing its expected length; it basically subverts the nonce used at the very start of the HTTPS traffic with a non-random nonce that the Telex-ISP party can recognize and use to unravel the resulting HTTPS exchange. I’ve also learned that TLS implementations do add random numbers of blocks to messages to prevent this sort of trivial traffic analysis, although I do suspect that certain forms of traffic analysis remain a threat to telex (and the paper acknowledges this.)

Trust is an interesting thing. I have decided that I do not trust you and will show you exactly why it would be unwise to do so.

Anon says “You need to trust the ISP, the Telex client, etc.” and you, Alex, reply in a totally deceptive manner as follows: “Just as with Tor and other client-based systems, users need to trust that nobody has tampered with the software they’re installing. Delivering software with integrity, though not an easy problem, is more tractable than delivering secrets to the masses without a repressive government learning them – Telex makes this part unnecessary.”

1. You omit the most important part. That you must trust the ISP. You disregarded the most important part of the argument: that it requires additional trust.

2. You then obfuscate this omission in the second sentence of what was quoted by making it all about delivering software “with integrity” when there is never, ever any such thing. No software, source or binary, that I am aware of has not been broken “out of the box”. I believe NetBSD came closest but I have never used it.

3. I suggest that this may reveal a mind that emotionally (at least) believes in security by obscurity and values debate above argument. As many have said; security is a process and as not so many people have said it is a process that has ongoing risks that may be minimised but never, ever eliminated.

Tor is dependent on endpoints not being compromised and, by having many endpoints, minimises the number of conversations that can be compromised. Telex seems to centralise the point of compromise to the ISP. A single point of failure. Telex appears to depend on the ISP and the censor being different entities contending with each other. Given that the ISP is usually a business dependent on the censor, this is pretty much a fantasy.

If you dispute any of this feel free to use the email address I supplied but please don’t send me “debate” but discussion. Thank you for your time.

Read the article… the ISP that would be encouraged to install Telex are in FREE countries who are OUTSIDE the control of the censoring governments. The people who live inside the censoring countries would gladly trust Telex because it’s still better than, uh, NOT being able to get to the sites they want.

Regarding #1, who or what holds the private key, and how will it be kept secret from all the worlds spies?

Presumably the keys need to be changed regularly, which means users will have to keep up to date with public keys. It also means that if censors record samples of old packets, they will eventually be able to find out who has been using Telex clients, then send police to knock on their door.

(I’m mostly playing devil’s advocate here, I think this is a fine idea, and ISPs should take it up. As long as potential users understand the risks and limitations).

#1 and what ISPs outside of China are going to be “trusted” if they’re thought to host these telex stations?
#2 I agree, exploit vectors definitely need to be considered here.
#3 the steganography could allow (theoretically) undetectable headers… however, I’m sure over time a signature would become detectable… and thus a censor would be able to strip the headers rendering them useless. The censor may not know where the person was trying to get to, but removing the header means the user would just get the mask site they *actually* requested, rendering this approach useless.

My biggest concern is with something like the Great Wall of China… if they start to feel like they’re losing the censorship battle by being able to pick and choose what is censored, will they just cut off all internet access to the outside world? Crazier things have happened recently, so it’s not that far fetched to consider that being a possibility. If they *were* to do this, then what would the repercussions be? We can only speculate, but I doubt anything good would come of it.

It’s a laudable effort though, I take my hat off to these guys, at least they’re trying to come up with viable solutions to a very real and very scary problem. I’ll leave that there, or I’ll end up in a rant about my stance on censorship.

With time, everything becomes detectable and you don’t need to determine *what* is going on to know that whatever you’re looking for *is* going on and take steps to mitigate it. For this to be worthy of public deployment it needs to be undetectable over time, or it’s not worth the spend.

Now if only we could get the U.S. population to turn off CNN and Fox News and stop lapping up the propaganda they’re being spoon fed, while being so quick to point fault with it in other censored countries. When the media controls you with constant behavioural conditioning, is that any better? You may not be “censored” by the classical definition, but you are still most certainly censored by the way those that control the media wish you to act in any given situation.

Whatever happened to critical and unbiased reporting? Or was that just a myth fed to us in journalism class?

As we’ve already seen with the new “six strikes” policy, ISPs are too often eager to collaborate with the censors. I doubt very much Comcast is going to install something like this to circumvent the PROTECT-IP act, if it were to pass.

Where does the hardware and software that Cisco and others sell to repressive regimes get installed? Is it a condition that the government places on ISPs?

Commotion Wireless seems like a more realistic approach, though I could be completely wrong.

Thanks for thinking up this approach. Maybe I have not understood it completely, but I wonder about the Telex stations:

how do those get distributed? Or, more importantly,
how is their private key distributed?
what stops a censor from obtaining stations themselves? Remember April 2010, when China allegedly rerouted 15% of all internet traffic?

The private key must certainly be protected from the adversary in any case. Whether there should be a single private key shared by all stations, or each station generates their own is something we are currently still thinking about. There likely needs to be a PKI for Telex (or rather Telex needs to use an existing PKI) to protect against censors obtaining private keys, or clients from using public keys corresponding to censors.

A Certificate Authority (CA) might be interesting, but I would assume that concept is dead after the Comodo scandal, especially when political interests come into the game, not just mere monetary ones.

A Web of Trust (WoT) seems to work for personal PKs, but when it comes to the few people with access to relevant routers where the Telex stations would be installed, that does not feel feasible to me.

I’m not a networks person, so forgive the perhaps ignorant question. But how do you ensure that the request gets routed through *some* ISP that is functioning as a Telex station? Unless there are an awful lot of Telex stations out there, isn’t it quite likely that the request would simply be handed over to the ostensible request site NotBlocked.com, and never reach Blocked.com?

It’s possible that this will happen, though it’s easy for the client to detect when it does. We discuss this on the Q&A page (How does the client find Telex stations?), but the short answer is that we could publish a list of where the stations were.

The location of Telex stations or how to use them aren’t meant to be secret. While this allows for attacks to be made on them, this is already a problem with anticensorship (or even censorship) systems on the Internet. There are several ways to mitigate attacks on Telex stations, from standard DoS protection, to parallel tag checking and robust, scalable design of the stations.

The client doesn’t force anything – it starts a connection with NotBlocked.com, where a Telex station is on path between client and NotBlocked.com, and issues a request through that to Blocked.com (which is intercepted by Telex and proxied accordingly).

> Widespread ISP deployment might require incentives from governments.
Why should any government sponsor this? I don’t know of any state that is against internet censorship per se. Or any large ISP for that matter.

The whole point is that governments (even “opposing” ones) would quickly degenerate into “censor and let censor” pacts where one government turns a blind eye to another’s censorship of its citizens in exchange for similar behaviour. In fact, it’s worse than that. The present US-China and/or US-Pakistan relationships are classic studies in how little leverage even “good-minded” governments (if we can somehow convince ourselves to characterize the US government as such) have with rogue regimes.

A few countries are quite good about this, actually. Just because the US sucks doesn’t mean other countries do. Iceland, for instance, is pretty good about it. There remains the problem of getting your traffic to be routed through Iceland (or wherever), though — it sounds like you need multiple, highly-connected countries to be free of censorship across the board for Telex to work well.

Youtube is censored at a DNS level only. No need for VPNs, proxies or Telexes to watch Youtube here in China.

The notion that the Chinese would “detect” something and then block it is even more ridiculous. They have never operated this way. E.g. VPNs are easily detected and blocked, yet they target specific consumer VPNs only. Why? Because business would be impossible without “legitimate” VPN usage and it’s hard to separate the two.

Most VPN blocks that do happen are easily worked around. In some cases they’ve even reversed blocks just hours later. (This because they only “crack down” during special events – just to make a statement, not so much to put one out of business in China.)

The “arms race” is just a way to raise taxes and fund the toys for these researchers. If they had spent some time in China (as a proper researcher would have) they would know that the “arms” are the same blunt knives they had 15 years ago and that there is no progress, certainly no race.

The developers of telex aren’t aiming for consumer ISPs, i.e. Comcast, AT&T etc… but for the upstream providers. This could be very useful if something like PROTECT IP gets passed since government controlled DNS blocking is very open to abuse.

Special infrastructure being hosted by an ISP doesn’t sound that good. For example, will it be possible to access Wikileaks from these oppressive nations, using this mechanism? Or The Pirate Bay? Or will Wikileaks etc. be blocked by all ISPs in the chain, as it is considered subversive also in the “free countries”?

Could it be possible to make the Telex nodes simple to run by anyone with a web server, and let the target sites themselves verify the stego-tag?

This way users could prepare keys outside of the country, smuggle the key + client software to the source country, and then use the Telex mechanism to either fish for random servers or use some well-known ones, without involving ISP-based middlemen at all.

1. The website can still be blocked by the censor (unless #2)
2. The public key must be kept hidden from the censor, but known to the clients
3. It’s difficult to know if the website you are using is actually running Telex and providing you with a proxy, or if it’s the censor, providing you with a fake one and spying on your usage (i.e. harder to trust just any old website. A whitelist of trusted sites might fix this, but the censor can just block the list, since they are all actively participating in anticensorship).

If this happened, then the state censor would simply make all of their boundary nodes (boundaries with other countries, I mean) Telex stations. Once they had this set up, they could continue to censor in exactly the same way that they previously could.

It’s a really neat idea technologically, but it sounds like it would just give everyone incentive to hack ISPs. There may be intense secrecy surrounding who has Telex stations, but if that secrecy is ever broken, would it really take very long for China or other governments to break into their network and obtain the private key? Once they have that, they wouldn’t have any trouble detecting Telex connections passing out of their network.

IIUC, you construct a tag by concatenating an element and hash as t = β||h, or equivalently t = β + x*(h % y), where x := 2^ceil(log2(p)) and y := 2^L / x (L is the length of the tag). This creates an entropy deficit of log2(x-p) bits, which you minimize (to avoid detection) by constraining your selection of p to be close to a power of 2.

Instead, you might consider using t = β + p*(h % z), with z := ceil((y - β)/p)? Assuming max(h) >> y - p (i.e. a long hash like SHA-2), this reduces the entropy deficit to O((p/(2^L))^2) bits (i.e. zero). This change would allow you to eliminate your requirement that p be close to a power of 2, because the observed values would be indistinguishable from uniform-random regardless of p.

What you write is correct, but note that p = 2^168 – 2^8 – 1, so x is 2^168, and log_2(x/p) is about (2^{-160} + 2^{-168})/ln(2) ~= 10^{-48} bits of entropy wasted. Note that that’s already the number of bits, not the log of that.
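The tagging and station-side check described under “How Telex Works”, together with the tag layout t = β + x·(h mod y) and its entropy deficit log2(x/p) discussed in the two comments above, as an added example that is not the Telex project’s own code. It assumes a toy multiplicative group mod 2^61 - 1 (stdlib only, no real security, not the paper’s elliptic curve) and a 32-byte TLS-style client random as the carrier; the deficit calculation is then repeated for the p = 2^168 - 2^8 - 1 quoted in the reply above.

```python
"""Toy model of Telex-style public-key steganographic tagging.

Added example, not code from the Telex project: a client derives a tag from
the station's public key; only the holder of the station's private key can
tell a tagged 32-byte nonce from a random one.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal, getcontext

# Toy group: multiplicative group mod the Mersenne prime 2^61 - 1 (assumption:
# chosen so the example runs with the stdlib only; it gives no real security
# and is not the elliptic-curve group the paper uses).
P = 2**61 - 1
G = 3
X = 2**61                 # x = 2^ceil(log2 p): field width that holds beta
TAG_BITS = 256            # L: the tag fills a 32-byte TLS-style client random
Y = 2**TAG_BITS // X      # y = 2^L / x: how many hash bits fit beside beta


def keygen():
    """Station key pair: (private exponent, public element g^priv mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _hash_secret(shared: int) -> int:
    """h = H(shared secret), reduced mod y so that beta + x*h fits in L bits."""
    digest = hashlib.sha256(b"telex-toy-tag|" + shared.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % Y


def client_tag(station_pub: int) -> bytes:
    """Client side: t = beta + x*(h % y) with beta = g^a, h = H(station_pub^a)."""
    a = secrets.randbelow(P - 2) + 1
    beta = pow(G, a, P)                   # ephemeral public element, sent in clear
    shared = pow(station_pub, a, P)       # Diffie-Hellman secret with the station
    t = beta + X * _hash_secret(shared)
    return t.to_bytes(TAG_BITS // 8, "big")


def station_detect(nonce: bytes, station_priv: int) -> bool:
    """Station side: recover beta, recompute the secret, check the hash part.

    Anyone can parse beta out of the nonce, but without station_priv the
    hash part looks like any other random bits, which is the whole point.
    """
    t = int.from_bytes(nonce, "big")
    beta, h_claimed = t % X, t // X
    if not 1 <= beta < P:                 # values outside the group are never tags
        return False
    shared = pow(beta, station_priv, P)   # same secret, derived with the private key
    expected = _hash_secret(shared)
    return hmac.compare_digest(expected.to_bytes(32, "big"),
                               h_claimed.to_bytes(32, "big"))


def entropy_deficit_bits(p: int, x: int) -> Decimal:
    """log2(x/p): the bias an observer could notice because beta never reaches x."""
    getcontext().prec = 80                # floats underflow for p = 2^168 - 2^8 - 1
    return (Decimal(x) / Decimal(p)).ln() / Decimal(2).ln()


if __name__ == "__main__":
    priv, pub = keygen()
    tagged = client_tag(pub)
    plain = secrets.token_bytes(32)       # an ordinary, untagged client random
    print("tagged nonce recognised:", station_detect(tagged, priv))
    print("random nonce recognised:", station_detect(plain, priv))
    print("toy group deficit (bits):", entropy_deficit_bits(P, X))
    print("p = 2^168 - 2^8 - 1 deficit (bits):",
          entropy_deficit_bits(2**168 - 2**8 - 1, 2**168))
```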

I suspect that the big problem[1] is the dependence upon co-operative CAs: once it becomes known that a CA is willing to issue certificates in its customers’ names to random ISPs, it seems likely that that CA would promptly lose rather a lot of its business from at least the fraction of its customers who know that they depend specifically on the CA never doing this.

The target government could even accelerate the CA’s demise by disrupting, say, 50% of SSL sessions to servers which present SSL certificates signed by a co-operating CA. This wouldn’t be enough to seriously harm business in the target country, but is likely to cause a sufficiently large spike in the server-operator’s customer complaint rate to get them to dump their existing CA immediately.

– Raz

1: Bigger, that is, than finding ISPs who are willing to operate Telex stations for the purpose of subverting, say, the Chinese government but not worried about retaliatory interference in their business. China routinely disrupts trade with whole nations whose heads of government meet with the Dalai Lama et al. Is it such a stretch to imagine that they’ll include in license terms for doing business in China an obligation not to do business with ISPs who operate Telex stations?

I’m sure I’m not giving away anything but obvious strategies here, but why not hack into ISP servers and channel a Telex link and run them as long as you can. Something useful for the kids to do, with respect. Going on Prague in ’89 to Tunis in ’11 you always seem to have three days around the tipping point when no one knows anything and everything is possible. Plug it in, when, as Bismarck said about picking the right political moment, “you hear the sweep of the mantle of God, and you can reach up and grab at its hem”.

I know. Because it’s illegal and yes, I was trolling-lite. But the practice of journalists acting illegally to secure information in the public interest was a live debate long before the News of the World tipped ink over it. And certain human rights activists reserve their rights to break the law to correct a greater injustice. The point is that there’s a lot of discussion about the morality and legal consequences in the human rights and media world, and not just about the mechanics of how their institutions go about breaking the law in the public interest. I just don’t see the same depth of debate surrounding the morality and legality of the unbridled use of high-concept technology like this in the technical community.

On another point, looking at countries such as China, I’m afraid they won’t be reluctant to limit encrypted traffic to whitelisted, domestic sites only. But that shouldn’t deter you or anyone from developing interesting technology. 🙂

Between black and white, there are always shades of gray. In this case, between allowing and banning HTTPS, there is the possibility of interference while accepting certain degree of collateral damage.

It is without doubt extremely costly (economically and politically) for a government to forbid or corrupt the HTTPS protocol entirely, but it is very much manageable to disturb HTTPS to a certain degree, resulting in a less stable, but still usable Internet experience for the general public. As the Chinese government’s ongoing experiment with GMail and other Google services shows, decreased availability – instead of a clear ban – is acceptable regarding the cost.

What it concretely means for the proposal at hand is that a censoring government doesn’t have to be able to detect Telex with any certainty. It can kill a connection even if it suspects it to be a Telex tunnel with 5% probability, and if that disturbs 50% of all regular HTTPS traffic, some government would still find it okay. And to detect a Telex connection is probably not so hard if a gigantic false positive ratio of 95% is allowed.

“And to detect a Telex connection is probably not so hard if a gigantic false positive ratio of 95% is allowed.”

If you don’t tell us how, this is just hand-waving!

Freedom to Tinker is hosted by Princeton's Center for Information Technology Policy, a research center that studies digital technologies in public life. Here you'll find comment and analysis from the digital frontier, written by the Center's faculty, students, and friends.